Safeguarding your information and reputation against cyber threats

Cyber Security

There can be no doubt that cyber threats are real. Cyber Essentials is a Government-backed and industry supported scheme that guides businesses on how to protect against cyber threats. The Cyber Essentials scheme provides a secure foundation for your IT system. Implementation of these controls can significantly reduce your risk ofcyber-attack.

In addition to Cyber Essentials, the MOD, working jointly with Industry and other Government departments, has created the Defence Cyber Protection Partnership (DCPP) to ensure that it and its supply chain are appropriately protected from cyber threats.

your people with the latest knowledge and skills in cyber security, helping them develop a deeper understanding of security threats and appropriate mitigations.

your organisation with the advice, guidance and support to establish or improve its policies and procedures, leading to a well-developed and robust security posture supported by an aware and mindful workforce;

As an industry leader, we offer a comprehensive range of courses, from foundation awareness to advanced courses, all to the highest and most up to date standards delivered by either e-learning or as live-classes.

Defence cyber protection partnership (DCPP)

The MOD introduced Cyber Protection requirements for all new procurements from 1 January 2016. All suppliers in MOD supply chains must hold a Cyber Essential Certificate prior to contract or subcontract award.

The DCPP Cyber Security Model will require some suppliers to ensure additional cyber security controls, over and above Cyber Essentials, are in place ahead of contract award depending on the level of risk identified.

MASS can help you implement Cyber Essentials for both your organisation and your supply chain.

Cyber Essentials Customer Helpline

We are delighted to announce the MASS Cyber Essentials helpline, which is available free of charge. To qualify you need to be a MASS customer. The helpline provides access to expert technical IT security, risk and compliance advice in line with the Government Cyber Essentials Scheme. Benefits of using the helpline include:

Improving your current IT system;

Advice on compliance requirements to progress to CE Plus certification; or

Information Assurance

MASS offers its clients audit and review services that encompass both technical and procedural audits against recognised standards. Our blend of audit approaches ensures we will deliver insightful and pragmatic recommendations.

MASS Security Architects hold industry qualifications and are experienced in the design of highly secure architectures that meet the rigours of UK Government and Defence assurance requirements.

MASS Risk consultants carry out risk assessments based on qualitative or quantitative methods, which can help organisations to understand the threats they face, and provide the necessary justification for cost effective investment in information security.

MASS Risk consultants work with your existing teams to develop risk tolerance criteria and define risk management strategies, that are designed to establish the framework to mitigate the likelihood of loss and impact to organisations.

Provide Project Management support to transitional or systems integration programmes, using traditional or agile approaches

Chair or participate in an organisation Technical Design Authority (TDA)

Risk Assessments

Value to you

Business relationships are continually evolving, these include greater reliance on third parties and an expansion of typical technology and security boundaries. Engaging the services of a MASS risk consultant delivers a variety of benefits to organisations, that provide the basis for competitive advantage. You will:

Risk Management

Value to you

The increase in external relationships, emergence of advanced and persistent threats and evolving legislative and regulatory environment, means that risk management must be an enterprise-wide integrated business function. Risk management consultancy support:

The application of cost effective risks mitigation strategies

Support seamless adoption of new regulations and legislation

Enhance resilience to the consequences of evolving threat and risk landscapes

Demonstrate risk competence to your business stakeholders and customers

Be better placed to accept new business opportunities and improve your competitive advantage

What we do:

Support existing risk management programmes through the creation of bespoke policies

Work with stakeholders to define risk management criteria

Develop or advise on the creation of business continuity plans

Interpret threat intelligence and risk assessments in the context of your business

Cyber training

The UK Government has categorised cyber attacks as a Tier One threat to national security, alongside international terrorism. The cost of a single cyber security incident can easily reach six-figure sums and any damage to a company's reputation could lead to dramatic loss of profits or future business.

To help mitigate such risks, your staff need to have the latest knowledge in cyber security. MASS can help your people develop a deep understanding of potential security threats, and the countermeasures you can develop or adopt. Cyber Security training helps to protect corporate assets, and having appropriately trained staff will immediately be apparent to the bottom line.

Working in partnership, MASS is offering, in the UK for the first time, an e-learning library with courses designed to teach all members of an application development team, from quality assurance professionals to software developers, about the importance of secure practices in the application development process.

Cyber Essentials Self-assessment

The Cyber Essentials Scheme self-assessment is the entry level of certiﬁcation awarded on the basis of a completed self-assessment questionnaire. Sign up via our portal, contact us or call us on +44(0)1480 222600 if you would like to discuss your options.

Once we have received your payment, we will set up your on-line assessment account, and you can then complete the on-line self-assessment questionnaire. One of our Cyber Essentials Technical Auditors will then assess your submission in order to issue your Cyber Essentials Certification. Our fee for the on-line assessment service starts from £300.

Support for the Cyber Essentials Self-assessment

We will provide you with support to make completing the assessment and achieving Cyber Essentials certification as effortless as possible. Here’s how;

Sign up for the self-assessment via our portal. We can then liaise with you to determine the best time to work with you.

One of our Cyber Essentials Technical Auditors will work with you to complete the Cyber Essentials assessment. Where necessary, they will explain shortfalls to you and help you to address them and become compliant with the certification standard.

Where necessary, the Auditor will work with you to help introduce any new security practices into your business.

When you are content you can submit the completed questionnaire on-line to our certification team.

One of our Cyber Essentials Technical Auditors will then assess your submission in order to issue your Cyber Essentials Certification.

Cyber Essentials Plus Certification

Having completed the Cyber Essentials certification, you may wish to undergo a more thorough assessment. Our specialist team will perform a security vulnerability test on your key systems to test your approach to cyber security. We will provide you with a report on our findings, indicating any major areas of weakness that were exposed and what can be done to address them.

Once those areas of concern have been addressed to the level required for certification, we will issue you with your Cyber Essentials Plus certificate. Please contact us or call us on +44(0)1480 222600 to find out more.

General Security Awareness Training

Length: Module length varies from 30 minutes to 70 minutes but can be tailored to fit with an organisation's requirement.

Audience: Each module can be further tailored to target particular audience groups.

The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company's reputation could lead to dramatic loss of profits or future business. Security Awareness fundamentally underpins the security mechanisms in place to protect corporate assets. Providing company staff with a general understanding of the threats to security and the countermeasures they can or should adopt can greatly reduce the risk of security breaches. The awareness modules outlined below can be selected as required and delivered as individual sessions or 2 or more combined to provide a more robust insight into the threats associated with IT systems and the risks to information security.

Modules

The Threat

An overview of Cyber threats to organisations, outlining the impacts of cyber security incidents as well as tactics and strategies to aid cyber defence.

Physical Security

Gives computer users a basic understanding of the layers of defensive tactics employed to protect Information and Information Systems.

Passwords

Designed to provide users with an understanding of the importance of strong passwords along with some simple techniques to assist users in choosing and managing their passwords.

Data / Information Security

An overview of data and information security best practices, including data classification, data transfer and storage as well as providing an overview of data protection legislation and international standards.

Home Computer Security / Home Working

Provides additional guidance for protecting systems and data within a user's home network environment, including firewalls, update and backup strategies.

Mobile Working

Intended to provide an understanding of the additional threats to systems and data when working remotely. Guidance on preventative measures is drawn from public best practices.

Bring Your Own Device (BYOD)

This module aims to introduce users to the growing trend of BYOD, analysing the Pros and Cons as well as providing guidance on BYOD policy considerations.

Communication Security

An introduction to the threats posed to communications by the use of e-mail, Wi-Fi, Bluetooth and Radio Frequency Identification. This module intends to give users an overview of how weaknesses in these technologies can be mitigated.

Browsing / Safe Internet Use

This module will discuss the relative similarities of the common web browsers, how they work and the threats posed to web browsing. Guidance and information about resources to assist users in safe internet use.

Phishing

This module takes a detailed look at what phishing is, why it poses a threat and how users can minimise their exposure to phishing attacks.

Reducing the Cyber Risk - 10 Key Steps

Length: 3 - 5 days.

Audience: This course is aimed at IT Managers or Information Security Practitioners.

In 80% of cyber attacks, it is considered that basic risk management would have prevented the attack. By taking steps to review and invest to improve security in a number of key areas, your business can concentrate their efforts on defending against the remaining 20% of attacks. This course will consider the 10 key areas for managing the risk to information and provide guidance and methodology to aid in the development of policies and processes.

Privacy Impact Assessments

The 2008 Data Handling Review, which was commissioned by the Government as a result of two major personal data losses, reported in June 2008. One of the mandatory requirements was that Privacy Impact Assessments (PIA) must be conducted on certain initiatives. To meet legal obligations in terms of the Data Protection Act 1998 a Privacy Impact Assessment must be conducted on any new and in-service project.

Course Content

Background information on the Privacy Impact Assessment

Privacy explained, the PIA process and compliance with the Data Handling Review.

Managing a Privacy impact Assessment

Conducting a Privacy Impact Assessment

Data Protection Compliance Checklist

Determining whether personal data on a system is afforded appropriate protection.

Developing a Forensic Readiness Plan

Length: 1 - 2 days.

Audience: This course is aimed at IT Managers or Information Security Practitioners.

Forensic readiness is the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation.

How an organisation’s staff initially reacts when discovering a security breach is of paramount importance. Without a formal forensics readiness plan, digital forensic evidence could be tampered with, changed, mismanaged or lost completely causing any post incident investigation to stumble or fail.

This course will demonstrate the importance of such a plan, its goals and benefits, whilst giving clear guidance on the concepts, key principles and the plan’s formulation.

Course Content

Introduction and background

Introduction to digital forensics.

Concepts and Overview

Defines the key terms associated with forensic readiness and gives an overview of how these should be adopted by an organisation.

Business Drivers

Benefits of having a forensics readiness plan, risks of not having one and costs associated with forensic readiness.

Common Principles

Looks at the common principles of forensic readiness and how organisations should consider the extent of applicability of each principle.

Development of plan

An overview of key content and associated planning practices required for the creation of a suitable forensic readiness plan.

Incident Management Requirements

Length: 1 - 2 days.

Audience: This course is aimed at IT Managers or Information Security Practitioners.

In the high tech world of today, security incidents are inevitable, when they occur organisations need to have the ability to identify, assess and manage the response quickly and efficiently. In order to achieve this, a pre-planned strategy with full support from senior management, well-rehearsed processes and formal procedures need to be in place to minimise the business impact of such events.

This course will cover key principles and approaches to security incident management, implementation, reporting and in some cases mandatory legal requirements and activities.

Course Content

Introduction and Overview to Incident Management

A look at business drivers, responsibilities, accountabilities and standards.

Key Common Principles

Examine the five significant principles for an effective incident management capability.

An Holistic Approach

Understanding how security weaknesses in one area could have a profound effect on other areas.

Implementation

What to consider when deciding on the best implementation of security incident management for your organisation.

Requirements and Documentation

Clarification of formal requirements, accountabilities and official documentation.

Support Agencies

Information and details of support agencies.

Support Documentation

An overview of available support documentation.

Gaining List X Compliance

Length: 2 - 3 days.

Audience: This course is aimed at Senior Managers or Information Security Practitioners.

In order for any contractor to be able to hold government protectively marked assets at their premises, the contractor is required to achieve List X status for that site.

This course will identify the mandatory requirements, baseline controls, roles and responsibilities which have been designed to flexibly provide appropriate levels of protection for sensitive government assets and help to achieve List X status.

Course Content

Understanding the Responsibilities of the Board of Directors

Contractual responsibility for the security of government assets held on the contractor’s premises rests solely with the company Board of Directors.

Mandatory Supervision Requirements

The contractor must create certain appointments to satisfy mandatory requirements for the supervision of the appropriate security aspects.

Roles and Responsibilities

Guidance on mandatory roles and their responsibilities for the protection of protectively marked assets.

Security Instructions

Clear instruction for handling protectively marked assets must be given to and understood by every employee regardless of their role or position in the company.

Homeworking

Guidance on the security requirements and responsibilities of homeworkers and the company security controller.

Control of Visitors

Understanding and exercising the required controls for visitors to the premises.

Un-Cleared Visitor Areas (UVAs)

Required controls and Placing of UVAs.

Inspections by local and regulatory bodies

Understanding the statutory right of entry and legal obligations.

Preparation and Contingency Plans

Inspection by the Joint Arms Control Implementation Group (JACIG).

Change of Ownership or Closure of a List X Contractor

Responsibilities and Obligations.

Protective Monitoring - Developing a Plan

Length: 2 - 3 days.

Audience: This course is aimed at IT Managers or Information Security Practitioners.

Protective Monitoring is a set of business processes, using essential support technology that is required in order to properly oversee how ICT systems are being used and provide suitable accountability for when those systems are abused.

This course demonstrates how the provision of an effective monitoring and alerting framework is an essential contribution to the successful treatment of information security risks.

Understanding the benefits of Protective Monitoring

Protective Monitoring Processes

Understanding the three core processes and further subsidiary processes.

Protective Monitoring Controls (PMCs)

Introduction to the PMCs, their objectives and their relationship to risk assessments.

Applying PMCs based on Applicability

Understanding the application of PMCs in accordance with risk requirements.

Constructing a solution

An overview of current techniques and technologies.

People and Processes

Establishing supporting processes and Roles.

Information Security Incident Management and Forensic Readiness

Guidelines for the implementation of Information Security Incident Management and Forensic Readiness plans.

EncryptingData - Understanding Government Requirements

Length: 1 day.

Audience: This course is aimed at IT Managers or Information Security Practitioners.

The loss of a single laptop or piece of media that does not employ any encryption could cost an organisation up to £500,000. The ICO recommends that organisations using portable equipment to process or transfer sensitive and personal data should encrypt the devices or media using approved products. This course will introduce best practice considerations for encrypting data at rest or when transferring bulk quantities of data.

Course Content

Why is encryption necessary?

Introducing the various recommended best practice and mandatory requirements to practitioners as well as demonstrating why unencrypted devices such as laptops are susceptible to data compromise.

Determining the level of encryption required

Introducing the Business Impact Levels to aid classification of information and what levels of encryption are applicable to the impact levels.

Encryption Standards

We take a look at the Federal Information Processing Standard and discuss each level of the standard as it applies to encryption solutions. This module will help to define which FIPS compliant solutions can be applied to information of different impact level.

Media Encryption for Physical transfers

Alternative solutions for encrypting data on physical media, including the use of file encryption, full disk encryption and hardware or software solutions.

Managing an IT Health Check/Penetration Test

Length: 1 - 2 days.

Audience: This course is aimed at IT Managers or Information Security Practitioners.

Nowadays, Penetration Tests can include a large amount of activities against a multitude of potential targets. Managing these activities effectively and formulating suitable rules of engagement will increase the effectiveness and benefits of such a test. It may also help prevent any one of these activities having a catastrophic effect on the system, thus affecting the productivity of your organisation resulting in loss of revenue and reputation.

It is important to remember that these tests, although an essential contribution to the successful treatment of information security risks, are also a valuable source of information. The information gathered can be used to provide management with assurance in regard to the secure nature of the system or justification for further investment of security measures if required.

Course Content

Planning

How to formulate a test strategy.

Choosing the right type of test

How to assess the level of assurance required.

Develop the scope of work

Identification of attack vectors, targets of attack and application assessments.

Out of scope

Consider what should not be included in the test.

Pre Engagement

Identify what agreements should be in place before the start of the test.

Wash-up meeting

Secure Sanitisation

Length: 1 - 2 days.

Audience: This course is aimed at IT Managers or Information Security Practitioners and can include presentations from a small selection of commercial providers of secure sanitisation and destruction facilities as well as the opportunity to discuss requirements with them directly.

The lack of appropriate controls to sanitise electronic media places organisational information at risk of compromise. Secure sanitisation, in proportion to the confidentiality of the data and the threat, minimises the impact of such compromises. This workshop aims to provide IT and security practitioners with the knowledge and understanding to incorporate secure sanitisation methods in to their organisation's information assurance policies.

Course Content

Policy and Governance

Determine who the decision makers are, understand the requirements for decommissioning and disposal.

The Threat

Techniques and Products

Understand the typical sanitisation methods and those methods to avoid as well as learn where to find utilities and equipment.

Re-use strategies and business impact levels

Understand when sanitisation allows release to other environments operating at different business impact levels.

The secure sanitisation baseline control set

Determining the correct sanitisation method based on the information value.

Conducting Physical Security Assessments for Classified Assets

Length: 1 day.

Audience: This course is aimed at Security Practitioners who have a requirement to safeguard protectively marked assets and who hold at least the baseline personnel security standard (Security Clearance).

The risks from undetected compromise stem primarily from espionage activity (ranging from the traditional Foreign Intelligence Service (FIS) to commercial or industrial attack), but may also come from terrorism, as terror groups have exploited opportunities to access sensitive information in the past. This course will guide you through real assessments using the assessment methodology.

Course Content

The assessment framework, defence in depth, when and when not to use it

Understand when the use of the framework is appropriate, introducing the principal of defence in depth and which documents can be used to support your approach. Introducing the Operational Requirements framework, Catalogue of Security Equipment and Security Policy Framework and their relationship to the assessments.

The assessment questionnaire

Understanding the assessment matrix, where the scores are obtained from and what they mean. Conduct your own assessments against assets under your protection.

The assessment summary and baseline controls

Interpret the summary scores, identifying the flaws in your defence in depth and select appropriate controls to resolve any gaps.

Takeaway tools and techniques

The real worked examples used on the course will aid your understanding of the use of this assessment framework and you will take away a version of the tool developed by our IA practitioners.

Introduction to PCI DSS for Developers

This course will expose application developers to the Payment Card Industry (PCI) Data Security Standard (DSS). The course will provide background and context on why organisations must be PCI compliant, the risk of and penalties for non-compliance, and developer responsibilities associated with PCI DSS requirements. The course will include examples of threats to PCI cardholder data, an overview of PCI-relevant secure coding practices, and methods to maintain PCI compliance over an extended period. This course is designed for developers at all levels of experience and is programming language agnostic. Upon successful completion of this course, students should be able to discuss PCI DSS requirements, apply relevant knowledge to their roles, and be able to demonstrate to PCI assessors that they have completed a basic overview of PCI DSS and secure coding techniques, which partially fulfils PCI DSS Requirement 6.5.

Lesson 1:Overview of PCI DSS Requirements and ComplianceCourse Objectives: After completing this lesson, you should be able to:

Describe the 12 requirements of PCI DSS

Describe the history of PCI DSS

Understand the risk of non-compliance

Lesson 2:The Importance of PCI DSS in the MarketplaceCourse Objectives: After completing this lesson, you should be able to:

Describe the purpose of PCI DSS

Debunk common myths of PCI DSS

Identify threats to cardholder data

Lesson 3:Requirement 6 In-DepthCourse Objectives: After completing this lesson, you should be able to:

Comply with PCI DSS requirements to develop and maintain secure systems and applications

Be familiar with secure system management practices such as:

Patch management

Change control

Code review

Vulnerability scanning

Be familiar with secure software development practices such as:

Input validation

Output encoding

Secure data storage

Overview of Mobile Application Security

This self-paced, e-Learning course provides an introduction to the basic concepts and best practices of secure development for mobile devices, concentrating on Android and iOS. This is the first in our series of Topics in Mobile Application Security courses, which will provide a deeper look into the security issues surrounding mobile devices. Each course will concentrate on a top mobile application vulnerability, using examples from each platform to demonstrate the flaw and approaches to mitigation.

Overview of Mobile Application Security gives a step-by-step guide on how to build a basic threat model for a Smartphone application. This threat model is then used as a framework for making better decisions about how to design and build applications as well as how to test the security of existing applications. By understanding how mobile applications are connected to other systems, developers will understand how mobile applications can be vulnerable and sensitive data exposed.

Lesson 1:Overview of Mobile Application SecurityCourse Objectives: After completing this lesson, you should be able to:

Authentication and Authorisation for iOS/Android

This self-paced, e-Learning course provides an overview of common authentication and authorisation approaches for the Android and iOS platforms. These courses continue the Topics in Mobile Application Security series, which will provide a deeper look into the security issues surrounding mobile devices.

Authentication and authorisation are the first line of defence in securing a mobile application, but they are not fool-proof. Developers need to understand the risks of these techniques, and how to protect against these risks. This course, offered for both iOS and Android, covers industry best practices for protecting a mobile application from malicious users using these methods.

Lesson 1:Authentication and AuthorisationCourse Objectives: After completing this lesson, you should be able to:

Define authentication and authorisation

Describe session management for the platform

Lesson 2:Lack of Data Protection In-TransitCourse Objectives: After completing this lesson, you should be able to:

Explain various scenarios of how data can be exploited in transit

Understand how to protect data in transit for the platform

Lesson 3:Failure to Protect Resources with Strong AuthenticationCourse Objectives: After completing this lesson, you should be able to:

Explain how authentication can be exploitable

Describe authentication schemes can be enhanced on the platform

Lesson 4:Insecure On-Device Credential StorageCourse Objectives: After completing this lesson, you should be able to:

Describe the types of information that can be gleaned from a mobile device

Explain the best practices for secure data storage

Data Protection for Android

This self-paced, e-Learning course provides an overview of techniques for data protection on the Android platform. This course continues the Topics in Mobile Application Security series, which will provide a deeper look into the security issues surrounding mobile devices.

The Android platform has specific facilities for storing and transmitting data. Some security restrictions are built-in to the Android platform, but developers need to take extra steps to ensure more secure protection. This course covers best practices for protecting data on the Android platform.

Lesson 1:Securing Stored DataCourse Objectives: After completing this lesson, you should be able to:

Validation and Encoding for Android

This self-paced, e-Learning course provides an overview of best practices for input validation and output encoding on the Android platform. This course continues the Topics in Mobile Application Security series, which will provide a deeper look into the security issues surrounding mobile devices.

Input validation and output encoding can help ensure that data and networks are kept secure. By understanding the various methods of exploit, mobile developers can help prevent such attacks. This course will help attendees understand how to validate and encode information on the Android platform.

Lesson 1:Protection Against InjectionCourse Objectives: After completing this lesson, you should be able to:

Understand how lack of input validation can be exploited

Explain how to encode untrusted data for display

Lesson 2:Validating Data in Interprocess CommunicationsCourse Objectives: After completing this lesson, you should be able to:

Lesson 3:Validating Data from Third-Party Web ServicesCourse Objectives: After completing this lesson, you should be able to:

Explain how enterprise web services can be exploited

Describe the impact of not using customer permissions

C / C++ Memory Management: Risks and Best Practices

Course duration: 1 hour.

Audience: Software Developers.

C and C++ are widely-adopted, deeply influential, and supported by a tremendous variety of frameworks and development environments. This speaks to the diversity of C/C++ developers and applications. It should also remind developers that C/C++ security risks and exploits are well-known among attackers.

Memory management is the most well-known risk with C/C++, and for good reason. This course will cover memory management fundamentals and common coding flaws that open an application to buffer overflow exploits and other attacks. The course will cover secure coding practices throughout, providing fixes to coding flaws as well as recommendations for comprehensive memory management solutions.

Lesson 1: Overview of C / C++ Memory ManagementCourse Objectives: After completing this lesson, you should be able to:

Introduction to Web Application Security

This self-paced, e-Learning course provides students with the basic concepts and terminology for understanding application security issues. It provides a definition of application-level security and demonstrates how these concerns extend beyond those of traditional infrastructure security. It also provides an explanation of common application security vulnerabilities such as SQL injection, Cross Site Scripting (XSS) and authorisation issues. Armed with this knowledge, developers, QA testers and security personnel can understand and start to be able to address application-level threats.

Lesson 1:Intro & ConceptsCourse Objectives: After completing this lesson, you should be able to:

Explain how intended application functionality differs from the intended functionality and how it is interesting to an attacker

Realise the potential for application inputs to be used as avenues for attack

Lesson 2:Real Case Studies - Notable BreachesCourse Objectives: After completing this lesson, you should be able to:

Appreciate the impact of poor security in production environments

Justify the mitigation effort to minimise exposed attack surfaces

Lesson 3:Application Attack DemonstrationCourse Objectives: After completing this lesson, you should be able to:

Understand the approaches an attacker uses to find application-level vulnerabilities

Understand the potential for malicious use of features in a vulnerable application

Lesson 4:What is Application Security and Why is it Important?Course Objectives: After completing this lesson, you should be able to:

Understand the types of risks the exploitation of XSS vulnerabilities poses to web applications

Secure Architecture and Design

Course duration: 1 hour.

Audience: Software Developers, Mobile Application Developers.

Security testing and remediation are important in a software project to protect the organisation; however, these measures are reactive and can be costly. This self-paced, e-Learning course covers the general concepts and approach to designing secure software architecture from the ground-up. We will discuss finding appropriate solutions for functional security requirements such as authentication, access control, and secure storage. The course also explains how to analyse the architecture for business policy needs and risks from external dependencies. The final section of this course discusses data flow and control flow analysis – data flow diagrams and control flow graphs are explained and utilised.

Lesson 1:Secure Design – Functional Security Requirements and SolutionsCourse Objectives: After completing this lesson, you should be able to:

Identify the potential risks, requirements, and solutions for each of the functional security domains:

Authentication and Session Management

Access Control

Input Validation and Output Encoding

Cryptography and Data Protection

Error Handling and Logging

Communication and HTTP Security

Files and Resources

Lesson 2:Secure Design – Use and Abuse CasesCourse Objectives: After completing this lesson, you should be able to:

Understand how to identify application use and abuse cases and how they are used

Explain how to create a diagram mapping abuse cases to use cases to identify interactions between the system, users, attackers, and security controls

Lesson 3:Secure Architecture – Business Controls and Risks from DependenciesCourse Objectives: After completing this lesson, you should be able to:

Understand how to document and analyse the application’s architecture through the use of the following tools:

External Dependencies

Entry Points

Assets

Trust Levels

Explain the need for business controls to protect an organisation’s systems and assets

Identify and analyse the risks from the application’s infrastructure (platform, frameworks, and system components)

Lesson 4:Secure Architecture – Data Flow and Control Flow AnalysisCourse Objectives: After completing this lesson, you should be able to:

Understand how to create and analyse Data Flow Diagrams (DFDs) and Control Flow Graphs (CFGs)

Use the steps of the STRIDE approach to categorise threats and determine appropriate countermeasures based on the STRIDE category:

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of Privilege

Secure Coding for Java

Course duration: 4 hours.

Audience: Software Developers.

Once developers understand the basics, they are in a position to start learning more specific design and coding techniques for Java application security. This self-paced, e-Learning course approaches application security practices and associated vulnerabilities as part of nine lessons. This course is also available in a .NET security training version so that developers learn platform-specific concerns and countermeasures.

Lesson 1:Trust BoundariesCourse Objectives: After completing this lesson, you should be able to:

Describe the concept of trust boundaries and how they apply to application security

Demonstrate an understanding of general approaches for handling trust boundaries in applications

Lesson 2:AuthenticationCourse Objectives: After completing this lesson, you should be able to:

Identify common authentication approaches

Identify common authentication vulnerabilities

Lesson 3:AuthorisationCourse Objectives: After completing this lesson, you should be able to:

Describe common approaches for authorising system access

Describe where authorisation should occur

Demonstrate knowledge of common authorisation vulnerabilities

Lesson 4:Validation and EncodingCourse Objectives: After completing this lesson, you should be able to:

Describe best practices for input validation

Identify common vulnerabilities that proper validation can help address

Lesson 5:Information and Error HandlingCourse Objectives: After completing this lesson, you should be able to:

Describe the risks associated with poor information and error handling

Lesson 6:Non-Repudiation and AuditingCourse Objectives: After completing this lesson, you should be able to:

Describe the value of non-repudiation, separation of duties, and support for auditing

Identify best practices for logging and reporting error conditions

Lesson 7:Data ProtectionCourse Objectives: After completing this lesson, you should be able to:

Demonstrate knowledge of the general concepts of modern cryptography

Describe cryptographic best practices and common mistakes

Identify approaches for handling data classification standards

Lesson 8:Configuration and DeploymentCourse Objectives: After completing this lesson, you should be able to:

Demonstrate knowledge of how proper configuration and deployment can manage the impact of existing vulnerabilities and prevent others

Describe common configuration and deployment flaws and the danger they post to applications

Lesson 9:Defence in DepthCourse Objectives: After completing this lesson, you should be able to:

Describe the concept of defence in depth

Discuss how defence in depth applies to secure design and implementation

Secure Coding for .NET

Course duration: 4 hours.

Audience: Software Developers.

Once developers understand the basics, they are in a position to start learning more specific design and coding techniques for .NET application security. This self-paced, e-Learning course approaches application security practices and associated vulnerabilities as part of nine lessons. This course is also available in a Java security training version so that developers learn platform-specific concerns and countermeasures.

Lesson 1:Trust BoundariesCourse Objectives: After completing this lesson, you should be able to:

Describe the concept of trust boundaries and how they apply to application security

Demonstrate an understanding of general approaches for handling trust boundaries in applications

Lesson 2:AuthenticationCourse Objectives: After completing this lesson, you should be able to:

Identify common authentication approaches

Identify common authentication vulnerabilities

Lesson 3:AuthorisationCourse Objectives: After completing this lesson, you should be able to:

Describe common approaches for authorising system access

Describe where authorisation should occur

Demonstrate knowledge of common authorisation vulnerabilities

Lesson 4:Validation and EncodingCourse Objectives: After completing this lesson, you should be able to:

Describe best practices for input validation

Identify common vulnerabilities that proper validation can help address

Lesson 5:Information and Error HandlingCourse Objectives: After completing this lesson, you should be able to:

Describe the risks associated with poor information and error handling

Application Security Testing

Application security testing is a way for organisations to identify and mitigate security vulnerabilities in their applications. This course covers the general approach used in a security assessment; the lessons identify the steps that take place and the activities that are performed during an assessment. The course covers the tools and techniques that are used to identify and follow-up on vulnerabilities discovered during the baseline and targeted testing steps of an assessment; the following assessment activities are explained: static analysis, dynamic analysis, forensic analysis, penetration testing, and code review. The lessons also describe how to rate vulnerabilities observed during an assessment according to the DREAD rating system and how to explain remediation recommendations in an assessment report.

Lesson 1:General Assessment ApproachCourse Objectives: After completing this lesson, you should be able to:

Identify the steps that take place during a security assessment and explain the purpose of each step

Assessment Preparation

Baseline Review and Testing

Threat Modelling

Targeted Testing

Reporting

Understand the differences between static, dynamic and forensic analysis

Describe the code review process and how to investigate observed vulnerabilities

Understand when to use automated versus manual testing to find different types of security flaws

Lesson 2:Secure Design – Use and Abuse CasesCourse Objectives: After completing this lesson, you should be able to:

Understand how to identify application use and abuse cases and how they are used

Explain how to create a diagram mapping abuse cases to use cases to identify interactions between the system, users, attackers, and security controls

Lesson 3:Secure Architecture – Business Controls and Risks from DependenciesCourse Objectives: After completing this lesson, you should be able to:

Understand how to document and analyse the application’s architecture through the use of the following tools:

External Dependencies

Entry Points

Assets

Trust Levels

Explain the need for business controls to protect an organisation’s systems and assets

Identify and analyse the risks from the application’s infrastructure (platform, frameworks, and system components)

Lesson 4:Secure Architecture – Data Flow and Control Flow AnalysisCourse Objectives: After completing this lesson, you should be able to:

Understand how to create and analyse Data Flow Diagrams (DFDs) and Control Flow Graphs (CFGs)

Use the steps of the STRIDE approach to categorise threats and determine appropriate countermeasures based on the STRIDE category:

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of Privilege

Threat Modelling

Course duration: 1 hour.

Audience: Security Professionals and Software Developers.

Threat Modelling is a key practice for organisations wanting to design and develop secure applications as it helps to identify potential security vulnerabilities early in the process when they are inexpensive to fix. This self-paced, e-Learning course walks through the Threat Modelling process step by step so that students understand the value of Threat Modelling and can build threat models for their own systems.

Lesson 1:Threat Modelling: Principles and PracticesCourse Objectives: After completing this lesson, you should be able to:

Understand what Threat Modelling is

Identify when it is appropriate to use

Explain why Threat Modelling is useful

Understand how to use Threat Modelling in application development

Software Security Remediation Basics

The security industry often pays a tremendous amount of attention to finding security vulnerabilities. This is done via code review, penetration testing and other assessment methods. Unfortunately, finding vulnerabilities is only the first step toward actually addressing the associated risks, and addressing these risks is arguably the most critical step in the vulnerability management process. Complicating matters is the fact that most application security vulnerabilities cannot be fixed by members of the security team because they require code-level changes in order to address the underlying issue successfully. Therefore, security vulnerabilities need to be communicated and transferred to software development teams and then prioritised and added to their workloads.

This self-paced, e-Learning course examines steps required to remediate software-level vulnerabilities properly, and recommends best practices organisations can use to be successful in their remediation efforts.

Lesson 1:Software Security Remediation BasicsCourse Objectives: After completing this lesson, you should be able to:

Lesson 2:Phase One - InceptionCourse Objectives: After completing this lesson, you should be able to:

Identify individuals and teams that should be involved in software security remediation projects

Understand how to create a successful timeline and budget

Lesson 3:Phase Two - PlanningCourse Objectives: After completing this lesson, you should be able to:

Understand risks associated with software vulnerabilities and how risk is calculated

Explain how manual and automated testing is used to find and confirm vulnerabilities

Calculate the level of effort needed from various teams

Schedule a software security remediation project

Lesson 4:Phase Three - ExecutionCourse Objectives: After completing this lesson, you should be able to:

Explain the steps and methods necessary to fix vulnerabilities

Understand how to test the quality of vulnerability fixes

Provide metrics used to evaluate a software security remediation project

Cross-Site Request Forgery (CSRF)

Course duration: 20 minutes.

Audience: Security Professionals and Software Developers.

Cross-Site Request Forgery (CSRF) is a serious and often-misunderstood web application vulnerability. This self-paced, e-Learning course goes into detail about the anatomy of a CSRF vulnerability as well as how security analysts can identify CSRF vulnerabilities and how developers can design and build applications resistant to CSRF attacks. Interactive examples and videos demonstrate the subtleties of CSRF vulnerabilities and how malicious attackers exploit them.

Lesson 1:Cross-Site Request Forgery (CSRF) VulnerabilitiesCourse Objectives: After completing this lesson, you should be able to: